In the realm of Operational Technology (OT), cybersecurity is a top priority as the pace of digital transformation increases. With critical infrastructure at risk, three key standards—NIS2, CRA, and IEC 62443—have emerged to strengthen the OT sector against cyber threats. These standards work together to create a unified front in OT cybersecurity, ensuring that organizations are well-equipped to combat evolving challenges in the digital landscape.
NIS2, or the Network and Information Systems Directive 2, builds upon the original NIS legislation to include vital sectors like energy, water, and transportation. This expansion introduces stricter security requirements and incident reporting obligations, emphasizing supply chain security and EU-wide cooperation. For OT systems, NIS2 mandates an appropriate level of security to protect critical infrastructure effectively.
CRA, the Cyber Resilience Act, focuses on protecting consumers and businesses using products or software with digital components, which are commonly found in OT environments. Manufacturers and retailers must comply with CRA’s cybersecurity requirements throughout a product’s life cycle, ensuring that network-connected products meet elevated security standards that complement NIS2’s efforts.
IEC 62443, a globally recognized best practice, provides cybersecurity standards tailored to Industrial Automation and Control Systems (IACS) and OT. It addresses the security challenges specific to industrial environments, applies a defense-in-depth model within a cybersecurity management system (CSMS), and supports risk assessments that help organizations select appropriate security products and service providers.
To illustrate the impact of these standards on OT cybersecurity, imagine a medieval kingdom where NIS2 represents the kingdom’s laws and policies, CRA is akin to the blacksmiths’ guild forging quality weapons and armor, and IEC 62443 embodies the master builders and engineers constructing strong fortifications. Together, these elements form a robust defense system for the kingdom, ensuring that all aspects of security are covered effectively.
In terms of timelines, CRA was approved by the European Parliament in March 2024 and is expected to become enforceable around 2027. NIS2 requires Member States to adopt and publish the measures needed to comply by October 18, 2024, while IEC 62443 was approved as a ‘horizontal standard’ in 2021, establishing it as the foundation for the cybersecurity requirements in sector-specific standards for OT.
By harmonizing their efforts, NIS2, CRA, and IEC 62443 create a comprehensive cybersecurity ecosystem for OT. NIS2 focuses on operational resilience, CRA ensures product security, and IEC 62443 offers technical guidance for securing industrial control systems. Together, they strengthen the resilience of the OT sector against cyber adversaries, providing organizations with a structured approach to managing cyber risks across various industries.
Vinny Sagar, a Solution Architect at swIDch, with over 15 years of experience in identity and cybersecurity, highlights the importance of these standards in ensuring a secure OT environment. By adopting NIS2, CRA, and IEC 62443, organizations can enhance their cybersecurity posture and protect critical infrastructure effectively in the face of evolving cyber threats.